b'DOE F 1325.8\n(08-93)                                                                                     Department of Energy\nUnited States Government\n\n\nMemorandum\n          DATE:      January 26, 2007                              Audit Report Number: OAS-L-07-05\n     REPLY TO\n      ATTN OF:       IG-34 (A06GT035)\n\n      SUBJECT:       Report on "The Department of Energy\'s Implementation of Revised OMB\n                     Circular No. A-123"\n               TO:   Acting Chief Financial Officer, CF-1\n\n\n                     INTRODUCTION AND OBJECTIVE\n\n                     The Office of Management arid Budget\'s (OMB) revised Circular No. A-123\n                     (Circular) requires Federal agencies to assess the adequacy of their internal\n                     controls. Beginning in Fiscal Year (FY) 2006, the Circular requires agencies to\n                     strengthen their assessment, documentation and testing of internal controls over\n                     financial reporting and prepare an annual assurance statement on the operating\n                     effectiveness of those controls. In August 2005, the Department of Energy\'s\n                     (Department) Office of Chief Financial Officer (CFO) began efforts to implement\n                     the Circular.\n\n                     Concurrent with its FY 2006 implementation tasks, the Department was engaged\n                     in an effort to correct a material weakness in its financild management and\n                     reporting process. Given the resources required for that effort, the Office of CFO\n                     determined that the Circular would be implemented, beginning in FY 2006, using\n                     a three year phased approach. In the first phase of its implementation, the\n                     Department concentrated its efforts on assessing processes and controls with the\n                     potential for the greatest impact on the financial statement audit. OMB guidance\n                     permits such a phased approach, provided a scope limitation is reported and a\n                     qualified or statement of no assurance as to the effectiveness of the internal\n                     controls is issued. Given the importance of this effort, we initiated this review, to\n                     determine whether the Department had properly implemented the requirements\n                     established in the Circular.\n\n                     CONCLUSION AND OBSERVATIONS\n\n                     Overall we concluded that the first phase of the Department\'s evaluation of\n                     internal controls over financial reporting as of June 30, 2006, was carried out in a\n                     reasonable manner and generally conformed to requirements established by OMB.\n                     The Department properly reported the limited scope of its internal control\n                     assessment and qualified its assurance statement on the: effectiveness of its\n                     controls. We identified, however, certain issues that, ii\' not corrected, could\n\x0c                                                                                we\nimpact the Department\'s ability to fully implement the Circular. In particular,\nnoted that:\n\n    *   Risk assessments were not always prepared in accordance with\n        Department guidance; and,\n\n    *   Supporting documentation describing certain controls and the results of\n        testing had not been prepared or was not readily available.\n\n                              Progress This Fiscal Year\n\nThe Department made substantial progress in implementing the requirements in\nthe Circular during FY 2006. The Department established a Senior Assessment\nTeam and organized a Senior Management Council at Headquarters to provide\ncorporate governance and oversight. A Project Management Team was also\nestablished to manage the implementation of the program. The Department also\nestablished Site Assessment Teams to assess, document and test controls at the\nsite, program and facility level. It also identified materiality levels and the major\naccounts targeted for assessment: developed and communicated requirements to\nSite Assessment Teams, and deployed the Assessment and Reporting Tool\n(AART) for tracking the efforts at the program and site office level.\n\n                           Completing Risk Assessment\'!\n\nThe Department\'s A-123 implementation guidance developed by the Office of\nCFO identified 19 standard financial processes to be used during the FY 2006\ninternal control assessment effort. Using these standard processes, sites and\nprogram offices identified specific sub-processes - based on local operating\nprocedures - on which to assess risk. Sites and program offices were to then\nidentify one or more "inherent" risks associated with each sub-process and, as\nappropriate, assess each of the risks as high, moderate, or low. A basic\nassumption to be applied when determining "inherent risk" was that there was no\nconsideration of the related or offsetting internal controls that may be in place to\nprevent or detect errors.\n\nBased on an evaluation of a sample of assessments, completed by selected sites\nand programs, we determined that certain risk assessments were not performed in\naccordance with Departmental guidance. Specifically, the Office of Energy\nEfficiency and Renewable Energy incorrectly assessed "control" risk - the risk\nthat the existing internal controls would not be effective - rather than inherent\nrisk. While the Lawrence Livermore National Laboratory and\'Sandia National\nLaboratory properly identified one or more risks for each of their sub-processes,\nthey did not assess each of the identified risks. Instead, they assessed the\ncombined risk associated with a sub-process. A National Nuclear Security\nAdministration (NNSA) official told us that they made a judgment to be more\nconservative in assessing risk at these two sites and that combining sub-processes\nresulted in more risk sets rated as high. The downstream effect of rating areas\nhigher than necessary, however, is that unnecessary and costly controls may be\nput into place.\n\n                                          2\n\x0c                                                                                 with\nIn responding to our report, the Department\'s A-123 Project Manager agreed\nour observation that certain risk assessments did not comply with Department\n                                                                       its guidance\nguidance. He added that the Department is considering a change to\nthat would factor certain aspects of control risk into the risk assessment process.\n\n                               Documenting Results\n\nAs noted by the Circular, internal controls and the results of testing should be\nadequately documented. OMB emphasizes that documents describing controls\nand supporting testing should be readily available for use or review. As specified\nin the Department\'s implementation guidance, site and program offices were to\nuse the AART to, among other things, list the locations of specific documentation\nto support their assessment and testing efforts.\n\nWe found, however, that adequate supporting documentation had not alvays been\nprepared or was not readily available at the location described in the AART. For\nexample, documentation to support testing of eight entity controls by the NNSA\nwas not descriptive of the tests performed. Instead, it consisted of a single page of\nnotes in bullet format from a discussion with an individual at Headquarters. Many\nof the bullets did not clearly describe the test results. At the Pacific Northwest\nNational Laboratory (PNNL), more specific location descriptions were also\nneeded. In particular, references to document locations were sometimes not\nspecific, such as those that referred to documents of significant size - an\nAccounting Manual - rather than the specific control in question.\n\nIn responding to our report, an official from NNSA told us that many documents\ndescribing entity controls were inspected and that these documents were provided\nto our auditors. The documents provided, however, described the controls NNSA\nevaluated rather than the results of tests of these controls. According to the\nNNSA official, the only testing performed on the documents consisted of a single\ninquiry of an individual at Headquarters. Additionally, when we discussed the\nneed for specific document locations with PNNL officials, they took action to add\ngreater specificity in the AART.\n\nImplementation and Monitoring\n\nOverall, we concluded that the issues described above could impact the\nDepartment\'s implementation efforts. To its credit, the. Office of CFO\'s Project\nManagement Team has since provided additional training on risk assessment,\ndocumenting, evaluating and testing. These actions are positive steps that should,\nif properly implemented, help strengthen the Department\'s internal control\nassessment and testing process.\n\n\n\n\n                                           3\n\x0cSUGGESTED ACTIONS\n\nTo address the issues outlined in our report, we suggested that the Office of Chief\nFinancial Officer:\n\n      1. Determine whether additional clarifying guidance is needed and whether\n         additional training on the preparation of risk assessments and supporting\n         documentation is necessary; and,\n      2. Require sites or programs to revise their risk assessments and\n         documentation as necessary to correct issues discovered during our\n         review.\n\nNo formal recommendations are being made in this report, and a formal response\nis not required. We appreciate the cooperation of the various Departmental\nelements that provided information or assistance.\n\n\n\n\n                                       Rickey R. Hass\n                                       Assistant Inspector General\n                                         for Financial, Technology, and Corporate Audits\n                                       Office of Audit Services\n                                       Office of Inspector General\n\nAttachment\n\ncc:       Chief of Staff\n          Deputy Secretary\n          Administrator, National Nuclear Security Administration\n\n\n\n\n                                           4\n\x0c                                                                               Attachment\n\n\nSCOPE AND METHODOLOGY\n                                                                             No. A-123,\nWe examined the Department\'s implementation of the Revised OMB Circular\n                                                              controls. The evaluation\nAppendix A, regarding evaluation of and reporting on internal\nwas performed between July 2006 and January 2007.\n                                                                           Financial\nWe conducted interviews of officials in the Headquarters Office of Chief\n                                                                         revised\nOfficer who were responsible for implementation and monitoring of the\n                                                               Office, the Pacific\nrequirements; undertook site visits to the Richland Operations                  Service\nNorthwest National Laboratory, the National Nuclear Security Administration\n                                                           National Laboratory,   and\nCenter, Sandia National Laboratory, Lawrence Livermore\n                                                                                     and\nArgonne National Laboratory; conducted work at the Offices of Energy Efficiency\nRenewable Energy, and Science; and reviewed internal control, test, and remediation\n                                                                                      as it\ndocumentation. We assessed the FY 2006 Performance and Accountability Report\nrelates to OMB Circular No. A-123 to determine whether the results of site and program\n office evaluations were accurately reported. Also, we performed work to determine\n whether the Department developed corrective action plans for significant issues identified\n during its FY 2006 reporting process.\n\nOur review was made in accordance with generally accepted Government auditing.\nstandards and included tests of internal controls and compliance with laws and\n                                                                            we assessed\nregulations to the extent necessary to satisfy our objective. Accordingly,\ninternal controls related to the implementation procesis. Because our review was limited,\nit would not necessarily have disclosed all internal control deficiencies that may have\nexisted at the time of our evaluation. We did not rely on computer-processed data to\n accomplish our audit objective.\n\x0c'